A large enterprise can have many hundreds or thousands of branch offices or retail sites and one or more centralized data centers that serve these sites. Each of these sites has a branch router, and each central data center site has one or more hub network elements. Such a large enterprise would like to use the Internet to carry traffic between these sites to reduce cost compared with traditional multi-protocol label switching (MPLS) virtual private networks (VPNs). Because the traffic is carried over the public Internet, it must be secured, typically using Internet Protocol Security (IPSec) tunnels. With thousands of branch network elements in the network, establishing IPSec security associations between each branch office and/or retail site is a considerable configuration and management scaling issue, because each IPSec tunnel must be configured separately on each possible router pair. When a new branch router is added, all the remaining network elements must be updated to learn of the new router. Furthermore, establishing and managing thousands of IPSec security associations increases the scaling requirements of the network elements themselves, both in the number of security associations they can maintain and in the computational resources required to maintain those associations.
However, branch-to-branch traffic is quite rare. A given branch might be actively communicating with only a small fraction (less than 10%) of the other branch network elements. As a result, many of the resources allocated to establishing and maintaining the IPSec associations are never put to use.
A second issue, and a weakness of existing IPSec tunnel solutions, is that IPSec tunnels are not multi-tenant in nature. To support multiple virtual routing and forwarding (VRF) instances in a branch network element, a separate IPSec tunnel is provisioned to handle each VRF instance. Thus, customers are potentially forced to configure multiple IPSec tunnels to handle the multitude of VRFs maintained at each site.